How to capture packets from a network with tcpdump and get an FTP login password.
I used this tcpdump command line to capture packets traveling over my network; this was intended to capture an FTP login. I am using an anonymous login as an example, but there is still a password involved. This way, I can capture an FTP login easily if I know someone on the network is doing FTP tasks.
localhost /home/jason # tcpdump -A -i wlp2s0 port ftp > dump.out
Now I can get the FTP password from the capture file.
localhost /home/jason # cat dump.out | grep PASS
01:59:57.344755 IP 10.1.1.219.36564 > ftp6.gwdg.de.ftp: Flags [P.], seq 17:43, ack 199, win 237, options [nop,nop,TS val 2057831 ecr 1933241270], length 26: FTP: PASS mozilla@example.com
..fgs:..PASS mozilla@example.com
That is how I managed to capture packets from an FTP session without needing Wireshark installed.
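From the defender's side, the same capture output can be used to audit which clients still send FTP credentials in cleartext. The following Python script is an added example, not part of the original post: it parses `tcpdump -A port ftp` output in the format shown above and reports client, server and user name for each cleartext PASS command without keeping the password. The function names and the USER line in the sample are assumptions made for the example.

```python
import re

# Header line format of `tcpdump -A port ftp`, as seen in the capture above.
HEADER = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP6? (?P<src>\S+) > (?P<dst>\S+): "
    r".*\bFTP: (?P<cmd>USER|PASS) (?P<arg>.*)$"
)

# Constructed sample: the USER line is made up for this example; the PASS
# header and payload lines are the ones shown in the grep output above.
SAMPLE = """\
01:59:57.200000 IP 10.1.1.219.36564 > ftp6.gwdg.de.ftp: Flags [P.], seq 1:17, ack 100, win 237, length 16: FTP: USER anonymous
01:59:57.344755 IP 10.1.1.219.36564 > ftp6.gwdg.de.ftp: Flags [P.], seq 17:43, ack 199, win 237, options [nop,nop,TS val 2057831 ecr 1933241270], length 26: FTP: PASS mozilla@example.com
..fgs:..PASS mozilla@example.com
""".splitlines()


def host_of(endpoint):
    """'10.1.1.219.36564' -> '10.1.1.219' (tcpdump appends the port after the last dot)."""
    return endpoint.rpartition(".")[0]


def find_cleartext_logins(lines):
    """Return one finding per cleartext PASS command; the password itself is never kept."""
    last_user = {}  # (src, dst) -> user name from the most recent USER command
    findings = []
    for line in lines:
        m = HEADER.match(line.strip())
        if not m:
            continue  # ASCII payload lines and non-login packets
        flow = (m["src"], m["dst"])
        if m["cmd"] == "USER":
            last_user[flow] = m["arg"].strip()
        else:
            findings.append({
                "time": m["ts"],
                "client": host_of(m["src"]),
                "server": host_of(m["dst"]),
                "user": last_user.get(flow, "<not captured>"),
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_logins(SAMPLE):
        print("cleartext FTP login: {client} -> {server} user={user} at {time}".format(**f))
```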
To get information about hosts on a network, use the netdiscover command as root.
┌─[✗]─[root@parrot]─[/home/user]
└──╼ # netdiscover -r 10.1.1.0/24
This is the output that you should get; it shows the IP and MAC addresses of all network nodes.
 Currently scanning: Finished!   |   Screen View: Unique Hosts

 9 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 540
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.1.1.1        e0:b9:e5:b8:31:ba      7     420  Technicolor
 10.1.1.40       00:13:46:3a:02:83      1      60  D-Link Corporation
 10.1.1.184      f0:25:b7:fa:01:4a      1      60  Unknown vendor
Another way to scan for live hosts on a LAN is with Nmap. This example will return only live hosts on the network.
┌─[root@parrot]─[/home/user]
└──╼ # nmap -sP -PA21,22,25,3389 10.1.1.0/24 #21 is used by ftp
Starting Nmap 7.50 ( https://nmap.org ) at 2017-07-17 12:57 UTC
Nmap scan report for dsldevice.lan (10.1.1.1)
Host is up (0.00054s latency).
MAC Address: E0:B9:E5:B8:31:BA (Technicolor)
Nmap scan report for BLUFOR.lan (10.1.1.40)
Host is up (-0.088s latency).
MAC Address: 00:13:46:3A:02:83 (D-Link)
Nmap scan report for 10.1.1.184
Host is up (-0.091s latency).
MAC Address: F0:25:B7:FA:01:4A (Samsung Electro-mechanics(thailand))
Nmap scan report for parrot.lan (10.1.1.7)
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 19.41 seconds